9 Network Considerations

9.1 Introduction

The number and types of users that you expect will need to access your network

This chapter describes the types of networking implementations upon which you can deploy Web applications, and the things you need to consider when deploying Web applications on each type.

9.2 Network Topologies

There are a number of terms used to describe the various networking implementations upon which you can deploy applications. In general, networks can be grouped into the following categories:

Internet is a network that is open to anyone with access to an Internet Service Provider (ISP). It uses data transmission standards drafted by the Internet Engineering Task Force (IETF).

Intranet is a network that is "owned" by a single organization that controls its security policies and network management.

Extranet is a network that is "owned" by multiple organizations, each of which may have their own network infrastructure, security policies, and users, thereby requiring an integrated approach to network management and security.

The primary difference between the Internet, intranets, and extranets is that an intranet and extranet are well defined by the controlling organization(s) and have a known body of users. Conversely, the Internet has an unknown body of users. Computers and networks that communicate via the Internet are unknown to each other until the time of connection. This means that there can be no previous coordination of encryption standards, user authentication, authorization, and so on.

These implementations are discussed in greater detail in the following sections:

9.2.1 Internet

The Internet is a network that is open to anyone with access to an Internet Service Provider (ISP). By connecting to the Internet, a user has access to other networked computers all over the world. If a computer that is connected to the Internet is not secured using hardware or software security methods, data on that computer is potentially accessible to anyone on the Internet.

9.2.2 Intranet

An intranet is a network that is "owned" by a single organization that controls its security policies and network management. Networked computers may be housed within a single physical location (for example, computers used for inventory control in a manufacturing plant), or they may be in different physical locations (for example, computers used at various branches of an insurance company).

Because the intranet is controlled by a single organization, all users who will attempt to access the network are known, and there is freedom in selecting the network structure, security policy, and software.

The following are examples of intranet-style networks:

Local-area network (LAN)

Wide-area network (WAN) that is comprised of a LAN that extends usage to remote employees with dial-up access

WAN that is comprised of interconnected LANs using dedicated communication lines

Virtual private network (VPN) that is comprised of a LAN or WAN that extends usage to remote employees or networks using special "tunneling" software that creates a secure, usually encrypted connection over public lines, sometimes via an Internet Service Provider (ISP)

9.2.3 Extranet

An extranet is a network that is "owned" by multiple organizations, each of which may have their own network infrastructure, security policies, and users. The networked computers are usually housed in different physical locations. In most cases, the different organizations share portions of their network data with each other. For example, the travel industry uses an extranet that allows travel agents to book flights and make other travel arrangements using data from networks owned by airlines and tour operators.

Like an intranet, there is a known body of users in an extranet. However, because the extranet is controlled by multiple organizations, an integrated approach to network management and security is required. In the travel industry example, the travel agencies and airlines would have to coordinate networking and security issues in order for travel agents to access airline booking information.

The following are examples of extranet-style networks:

LANs or WANs belonging to multiple organizations and interconnected and accessed using remote dial-up

LANs or WANs belonging to multiple organizations and interconnected and accessed using dedicated lines

Virtual private network (VPN) that is comprised of LANs or WANs belonging to multiple organizations, and that extends usage to remote users using special "tunneling" software that creates a secure, usually encrypted network connection over public lines, sometimes via an ISP

Organizations sharing networked data and applications via an extranet must agree on the security protocols for user authentication, authorization, and data encryption. Security hardware, such as firewalls and routers, must be compatible.

9.3 Deploying Forms Server in your Network Environment

After studying how the Forms Server functions and determining the type of network setup that would work best for your company, you can implement Forms Server on your network. The following five sections describe networking options and some associated risks:

9.3.1 Deploying Over the Internet

Forms Server allows you to deploy your Forms applications over the Internet by encapsulating Forms messages in HTTP 1.1 packets. HTTP is one of the most widely used protocols for deploying applications on the Internet.

Many organizations have "locked-down" their firewalls by allowing only HTTP traffic, which greatly enhances the security of their private networks. (Most firewall companies support the HTTP standard in their products, and many organizations are willing to allow HTTP traffic in and out of their private networks.) Sites that allow only HTTP traffic will be able to easily deploy Forms Server through their existing firewall with little or no change to their configuration and with complete transparency to the client.

Although a strict security policy is still required to protect the internal company network, you can put application servers behind a firewall and in a demilitarized zone (DMZ) within the company network. The HTTP filter within the firewall is sufficient to restrict incoming traffic without the use of a VPN.

In addition, you can use SSL (secure sockets layer) with HTTP 1.1 for even more secure communications. SSL is a transport protocol that provides privacy, integrity, and authentication. SSL works at the transport level, which is one level below the application level. This means that SSL can encrypt and decrypt messages before they are handled by application-level protocols such as HTTP.

Deploying Forms Server on the Internet makes your application available to individual users on the Web, as well as to extranet customers, at a relatively low cost when compared to the other network deployment options. It enables organizations to run scalable, secure, and sophisticated new or existing Forms applications over the Internet.

9.3.1.1 Risks

To deploy applications on the Internet with an HTTP socket connection, the CPU requirements for the user's Forms Client PC are slightly higher than for previous versions of Forms Server in order to provide equivalent performance.

Sending Forms data in an HTTP wrapper will likely increase network traffic, and may have an impact on the number of sessions that can be run simultaneously on lower speed connections.

9.3.1.2 Other Internet Deployment Options

If you do not choose to use the HTTP socket connection method, your other option is to set up a DMZ outside of your protected network that contains the application server. You can set up an IP-router to block all incoming packets except those destined for ports 80 (HTTP traffic) and 9001 (default port for the Forms Listener) in order to protect the DMZ. The risk with this approach is that the Forms Server Listener port is still vulnerable. If multiple Forms Server Listeners are used (for example, when hosting multiple applications or multiple languages) the risks increase.

In addition, the IP router should be backed by a multi-homed firewall residing in the DMZ that re-routes all incoming traffic from the IP router to the application servers in the DMZ. The application servers need to connect to the database in the trusted corporate network, so the multi-homed firewall also needs to re-route all Net8 traffic to the data server in the trusted corporate network.

A rotation schedule can be set up where different Forms Server Listeners are used at different times to reduce the chance of break-in, although this will not deter a serious hacker.

To shield the internal network from attacks, we recommend that you set up an extra firewall between the multi-homed firewall and the internal network to filter the IP packets and only pass Net8 traffic.
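The two filtering points described in this section (the IP router that admits only HTTP and Forms Listener traffic into the DMZ, and the extra firewall that passes only Net8 traffic from the DMZ to the internal network) can be modelled as a pair of stateless rules. The following Python is an added example, not code from the Forms Server documentation. The address plan, the host roles and the Net8 port (1521, Oracle's conventional listener port) are assumptions chosen for the example; port 9001 is the default Forms Listener port named in the text.

```python
"""Added example (not from the Forms Server documentation): a stateless
filter model for the DMZ layout described in this section.

Two filtering points are modelled:
  * the IP router in front of the DMZ, which passes only HTTP (80) and the
    Forms Listener port(s) (9001 by default), and only towards DMZ hosts;
  * the extra firewall between the DMZ and the internal network, which
    passes only Net8 traffic from the application servers to the database.

Addresses and the Net8 port are assumptions for the example, not values
taken from the documentation.
"""
import ipaddress
from dataclasses import dataclass
from typing import Set

# Assumed address plan (constructed for the example).
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")
APP_SERVERS = {ipaddress.ip_address("192.0.2.10"),
               ipaddress.ip_address("192.0.2.11")}
DB_SERVER = ipaddress.ip_address("10.10.5.20")

HTTP_PORT = 80
DEFAULT_LISTENER_PORTS = {9001}   # default Forms Listener port from the text
NET8_PORT = 1521                  # assumed Net8 listener port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def dmz_router_allows(pkt: Packet,
                      listener_ports: Set[int] = DEFAULT_LISTENER_PORTS) -> bool:
    """Router in front of the DMZ: admit only TCP to HTTP or a Forms
    Listener port, and only when the destination is a DMZ host.
    Every additional listener port widens what the Internet can reach."""
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.proto != "tcp" or dst not in DMZ_NET:
        return False
    return pkt.dport == HTTP_PORT or pkt.dport in listener_ports


def internal_firewall_allows(pkt: Packet) -> bool:
    """Extra firewall between the DMZ and the internal network: pass only
    Net8 traffic, and only from an application server to the database."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    return (pkt.proto == "tcp" and src in APP_SERVERS
            and dst == DB_SERVER and pkt.dport == NET8_PORT)


def from_internet(pkt: Packet) -> str:
    """Fate of a packet arriving from the Internet at the DMZ router."""
    return "delivered to DMZ" if dmz_router_allows(pkt) else "dropped at DMZ router"


def from_dmz_to_internal(pkt: Packet) -> str:
    """Fate of a packet leaving the DMZ towards the internal network."""
    if internal_firewall_allows(pkt):
        return "delivered to internal network"
    return "dropped at internal firewall"


if __name__ == "__main__":
    # Constructed sample traffic: an Internet client, a scan of another port,
    # a direct attempt at the database, and the legitimate Net8 hop.
    for pkt in (Packet("203.0.113.5", "192.0.2.10", 80),
                Packet("203.0.113.5", "192.0.2.10", 9001),
                Packet("203.0.113.5", "192.0.2.10", 22),
                Packet("203.0.113.5", "10.10.5.20", 1521)):
        print(pkt, "->", from_internet(pkt))
    for pkt in (Packet("192.0.2.10", "10.10.5.20", 1521),
                Packet("192.0.2.10", "10.10.5.20", 80),
                Packet("192.0.2.50", "10.10.5.20", 1521)):
        print(pkt, "->", from_dmz_to_internal(pkt))
```

The model makes the residual risk the text describes visible: a packet from any Internet address to port 9001 is delivered to the DMZ, and passing a larger `listener_ports` set (one port per hosted application or language) enlarges that reachable surface, while the inner firewall limits what a compromised DMZ host can reach to the single Net8 path to the database.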

9.3.2 Deploying On a Local Area Network (LAN)

If all users who will access your Forms applications are located within your LAN, then basic internal network security is sufficient, and the Forms Server will not require any special configuration.

9.3.3 Deploying On a Network with Remote Dial-Up Access

If some users are located outside your LAN or secure WAN and will dial in for access to your Forms applications, then you will need a server designed specifically for remote access security. This scenario is ideal for employees who work offsite or for trusted customers who must access your LAN or WAN. This solution is not appropriate for implementations where more than 1000 users would need to access the LAN remotely.

Valid users are those who have been registered in your remote access server. Unregistered users do not have access. Remote Access Service (RAS) is a feature of Windows NT servers. A Windows NT RAS server can be used in this scenario as the remote access server.

A private WAN is often constructed with leased lines. To break in, an intruder would have to know the location of the leased lines and the wire codes of the lines used to transmit data. Under these conditions, a breach is unlikely.

If dial-up is via public phone lines, we recommend that you encrypt confidential data during transmission. Windows NT RAS servers include the Point-to-Point-Tunneling Protocol (PPTP), which can be used for encryption of confidential data over public dial-up lines. If you are not using a remote access server that provides an encryption protocol, see the following sections for other, more secure options for configuring Forms Server on your network.

There is a very small risk that an intruder can randomly dial the phone number for a remote access server, and then attempt multiple username/password combinations to log in to the LAN. However, remote access servers are more vulnerable to disgruntled ex-employees or customers who already know how to access the server.

To avoid this situation, we recommend the following precautions:

Rigorous security record maintenance, which will ensure that entries for former employees and customers are removed from the remote access server, auto-dialback unit, and all internal systems

Caller ID verification, which is a technique that only allows registered phone numbers to reach the remote access server

Auto dial back unit, which calls back the caller using a previously registered phone number

9.3.4 Deploying On a Network via Telecom-Provided VPN Access over Public Lines

As mentioned in the previous section, a conventional WAN is usually constructed with leased lines. However, if dial-up is via public phone lines, we recommend that you have a more secure method of user authentication and data transmission.

One option is to use a VPN, or virtual private network, available from your telecommunications provider. The telecommunications provider keeps a list of allowed users, and creates the VPN whenever an approved user dials in. Your network would still need a remote access server, as described in the previous section, so all of the security benefits and risks of the previous section apply here. (This solution is not appropriate for implementations where more than 1000 users would need to access the LAN remotely.)

The primary risk is vulnerability to disgruntled ex-employees or customers who already know how to access the server and are already on the VPN provider's registered users list. To eliminate this risk, be sure to keep current the list of approved users for both the remote access server and the VPN provider's registered users list.
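The precautions listed for remote dial-up access in Section 9.3.3 (registered users only, caller ID verification, automatic dial-back) and the list maintenance that Sections 9.3.3 and 9.3.4 both call for (removing former employees and customers from the remote access server, the dial-back unit and the VPN provider's list) come down to two routines: an admission decision for each dial-in attempt, and a reconciliation of every access list against the current roster. The following Python is an added example and is not code from the Forms Server documentation or from any RAS product; all user names, phone numbers and rosters are constructed sample data.

```python
"""Added example (not from the Forms Server documentation): an admission
check for dial-in attempts and a reconciliation of access lists against
the current roster of employees and customers.  All data is constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RemoteUser:
    username: str
    registered_phone: str   # number the auto dial-back unit will call


# Constructed remote access server registry (username -> registered user).
RAS_REGISTRY: Dict[str, RemoteUser] = {
    "alice": RemoteUser("alice", "+1-555-0101"),
    "bob": RemoteUser("bob", "+1-555-0102"),
    "carol": RemoteUser("carol", "+1-555-0103"),
}


def admit_dial_in(username: str, caller_id: str,
                  registry: Dict[str, RemoteUser] = RAS_REGISTRY
                  ) -> Tuple[bool, Optional[str], str]:
    """Decide whether a dial-in attempt proceeds.

    Returns (accepted, dial_back_number, reason).  Three checks from the
    text are applied in order: the user must be registered, the caller ID
    must match the registered number, and the session is then established
    by the dial-back unit calling the registered number rather than by
    the inbound call itself, so a guessed password from an unregistered
    phone never yields a connection."""
    user = registry.get(username)
    if user is None:
        return (False, None, "unregistered user")
    if caller_id != user.registered_phone:
        return (False, None, "caller ID does not match registered number")
    return (True, user.registered_phone, "dial back to registered number")


def stale_entries(active_people: Iterable[str],
                  registries: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Compare each access list (RAS registry, dial-back unit, VPN provider
    list, ...) against the current roster; every name that is on a list but
    not on the roster is an entry that should be removed."""
    active = set(active_people)
    return {name: sorted(set(entries) - active)
            for name, entries in registries.items()}


if __name__ == "__main__":
    print(admit_dial_in("alice", "+1-555-0101"))   # accepted, dial back
    print(admit_dial_in("alice", "+1-555-0999"))   # caller ID mismatch
    print(admit_dial_in("mallory", "+1-555-0101")) # unregistered

    # Constructed roster and lists: carol has left, dave exists only at the
    # VPN provider (an entry the reconciliation should surface).
    roster = ["alice", "bob"]
    lists = {
        "remote_access_server": RAS_REGISTRY.keys(),
        "dial_back_unit": ["alice", "bob", "carol"],
        "vpn_provider": ["alice", "bob", "carol", "dave"],
    }
    print(stale_entries(roster, lists))
```

Running `stale_entries` on a schedule against the HR and customer rosters turns the "rigorous security record maintenance" item into a repeatable check, and covering the VPN provider's list in the same run addresses the risk Section 9.3.4 singles out, that someone removed from the remote access server remains on the provider's registered users list.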

9.3.5 Deploying On a Network via VPN Access over the Internet

If you plan to use the Internet as your means of dial-up access, we recommend that you have a secure method of user authentication and data transmission. One option is to use the Forms Server HTTP socket configuration, or HTTPS (HTTP 1.1 socket configuration with secure sockets layer for improved privacy, integrity, and authentication). For more information about HTTP sockets, see Section 3.2, "Sockets, HTTP, or HTTPS".

Another option is to use a VPN over the Internet. With this method, data is transferred over the Internet in the form of IP (Internet protocol) packets. An IP packet is a group of bits (your data) along with a source and destination IP address.

If you set up a VPN over the Internet, you can save telecommunication costs. Remote users dial a local ISP rather than leased lines or an 800 number. You must configure and maintain the VPN software at your network, and the users who dial in must have compatible VPN software. If you set up an extranet connection where two LANs communicate via the Internet, all parties need to use compatible firewalls. If you have remote workers, some vendors offer mobile firewalls that can be used by remote workers; however, this adds significant cost and administrative time.

Most major firewall vendors have options for implementing a VPN over the Internet. Preferred VPNs use:

Strong user authentication, which includes a challenge/response mechanism rather than simply a username/password mechanism

Internal firewalls to control the access to more secure parts of the network

Data encryption to protect the data during its transport across the public network (This is called "IP tunneling," where the data in each IP packet is encrypted during its transport across the public network and decrypted at the destination.)
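The first item above prefers a challenge/response mechanism over a simple username/password exchange. The difference is that the secret never crosses the wire: the server sends a fresh random challenge, the client returns a keyed hash of it, and a response captured from the line is useless against a later challenge. The following Python shows both sides of such an exchange. It is an added example and not code from the Forms Server documentation or from any VPN product; the shared secret, the user name and the HMAC-SHA256 construction are assumptions of the example.

```python
"""Added example (not from the Forms Server documentation): a minimal
challenge/response login exchange.  The shared secret below is constructed
sample data; a real deployment would provision one per user."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Server-side secret store (constructed sample data).
SHARED_SECRETS: Dict[str, bytes] = {"alice": b"constructed-shared-secret"}


class Server:
    def __init__(self, secret_store: Dict[str, bytes]):
        self._secrets = secret_store
        self._pending: Dict[str, bytes] = {}   # username -> outstanding challenge

    def challenge(self, username: str) -> bytes:
        """Step 1 (server -> client): a fresh random nonce.  Nothing secret is
        sent; issuing a new challenge invalidates any earlier one."""
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        """Step 3 (server): recompute HMAC(secret, nonce) and compare in
        constant time.  The outstanding challenge is consumed whether or
        not the check succeeds, so each response is accepted at most once."""
        nonce = self._pending.pop(username, None)
        secret = self._secrets.get(username)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(secret: bytes, nonce: bytes) -> bytes:
    """Step 2 (client -> server): prove knowledge of the secret by keying a
    hash of the challenge with it, without transmitting the secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_exchange(server: Server, username: str,
                 client_secret: bytes) -> Tuple[bool, bytes, bytes]:
    """Drive one complete exchange; returns (accepted, nonce, response)."""
    nonce = server.challenge(username)
    response = client_respond(client_secret, nonce)
    return server.verify(username, response), nonce, response


def captured_response_rejected(server: Server, username: str,
                               old_response: bytes) -> bool:
    """Property worth checking: a response recorded from an earlier exchange
    does not satisfy a new challenge, because the nonce differs."""
    server.challenge(username)
    return server.verify(username, old_response) is False


if __name__ == "__main__":
    srv = Server(SHARED_SECRETS)
    ok, nonce, resp = run_exchange(srv, "alice", SHARED_SECRETS["alice"])
    print("genuine client accepted:", ok)
    print("same response presented twice:", srv.verify("alice", resp))
    print("old response against new challenge rejected:",
          captured_response_rejected(srv, "alice", resp))
    print("wrong secret accepted:", run_exchange(srv, "alice", b"wrong")[0])
```

Compared with sending a password, the exchange exposes only a random nonce and a keyed digest on the public network, and the one-time consumption of each challenge in `verify` is what makes a recorded exchange worthless to a third party.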

Risks involved with setting up a VPN over the Internet include:

If you do not use an HTTP socket connection, then your firewall may not allow data to pass. In some cases, you can configure your firewall and Forms Server to work around this problem by setting up a generic proxy.

Network performance is likely to degrade because of the extra processing required for strong authentication and data encryption.

Keys must be properly configured and managed.

Firewall configuration must be strictly managed so that ex-employees and ex-customers are de-registered.

Spoofing the firewall is a potential risk. (Spoofing is when an intruder arrives disguised as a trusted node on the network by forging a false address in IP packets, and sending those packets to your network. The intruder gets the false address by monitoring the traffic on your network and determining addresses that have been accepted by your network.) You can deter spoofing by using filters on your firewall.
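The filters the last item recommends are ingress and egress address checks: a packet arriving on the external interface that claims an internal (or otherwise unroutable) source address cannot be genuine and is dropped before any address-based trust decision is made, and a packet leaving the internal interface with a non-internal source is dropped for the same reason. The following Python is an added example of such a filter applied to constructed log lines; it is not code from the Forms Server documentation or from any firewall product, and the interface names and address ranges are assumptions of the example.

```python
"""Added example (not from the Forms Server documentation): anti-spoofing
address checks of the kind applied at a firewall.  Interface names, the
internal address plan and the sample packet log are constructed."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Assumed internal address plan (constructed for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16"),
                 ipaddress.ip_network("192.0.2.0/24")]

# Source ranges that never legitimately arrive from the public Internet:
# private space and unroutable ranges.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def _in_any(addr: ipaddress.IPv4Address, nets: Iterable) -> bool:
    return any(addr in n for n in nets)


def spoof_check(iface: str, src: str) -> str:
    """Return "pass" or a "drop: ..." verdict for a packet's source address
    given the interface it arrived on."""
    addr = ipaddress.ip_address(src)
    if iface == "external":
        # Ingress: nothing from outside may claim to be one of our hosts.
        if _in_any(addr, INTERNAL_NETS):
            return "drop: internal source address on external interface"
        if _in_any(addr, BOGON_NETS):
            return "drop: unroutable or private source address"
        return "pass"
    if iface == "internal":
        # Egress: an internal host must use an internal address.
        if not _in_any(addr, INTERNAL_NETS):
            return "drop: non-internal source address on internal interface"
        return "pass"
    return "drop: unknown interface"


def filter_log(lines: Iterable[str]) -> Tuple[List[Tuple[str, str]], Dict[str, int]]:
    """Apply spoof_check to log lines of the form "<iface> <src> <dst>".
    Returns the per-line verdicts and a count of passed/dropped packets."""
    verdicts: List[Tuple[str, str]] = []
    counts = {"pass": 0, "drop": 0}
    for line in lines:
        iface, src, _dst = line.split()
        verdict = spoof_check(iface, src)
        verdicts.append((line, verdict))
        counts["pass" if verdict == "pass" else "drop"] += 1
    return verdicts, counts


# Constructed sample packet log: "<interface> <source> <destination>".
SAMPLE_LOG = [
    "external 203.0.113.9 192.0.2.10",   # ordinary Internet client
    "external 10.10.3.4 192.0.2.10",     # claims an internal address
    "external 192.168.1.1 192.0.2.10",   # private space from outside
    "external 127.0.0.1 192.0.2.10",     # loopback from outside
    "internal 10.10.3.4 203.0.113.9",    # internal host going out
    "internal 203.0.113.77 203.0.113.9", # non-internal source leaving inside
]


if __name__ == "__main__":
    verdicts, counts = filter_log(SAMPLE_LOG)
    for line, verdict in verdicts:
        print(f"{line:40} {verdict}")
    print(counts)
```

The check rejects the forged packets described in the text on the external interface without consulting any per-host trust rule, and the matching egress check keeps a compromised internal host from emitting packets with forged sources towards other networks.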

9.4 Guidelines for Maintaining Network Security

If you are planning to implement a mission-critical application using Forms Server, security is a key issue. After determining the type of network environment you need, formulate a security policy to protect it. Refer to Chapter 10, "Security Considerations" for more detailed information.

After your application servers are up and running, you must continually maintain security. This is true particularly if your applications are accessed through the Internet because your site will likely be visited by hackers. The enforcement of a security policy is an ongoing process.

We have described several deployment options for intranet, extranet, and Internet Forms applications, and have looked at the associated impact on security. From this we can draw the following conclusions:

Intranet and extranet implementations using a dial-up WAN or dial-up VPN can be made reasonably safe with medium effort. As with a LAN, most attacks will be from the inside, so it pays to improve server protection and database user management. Encryption mechanisms should be used to protect confidential data from unauthorized users.

For intranet and extranet implementations over an Internet VPN, use strong authentication and encryption, as well as strong access control. Most major firewall vendors have VPN options to block access to unauthorized users, encrypt data over public networks, and provide user authentication.

A realistic implementation of security measures on the Internet is based on a combination of the following elements: